The IIA Textbook 5th Edition

cover of the 5th edition of the IIA textbook

Internal Auditing: Assurance & Advisory Services, 5th Edition, is a comprehensive textbook designed to teach students the evolving global profession of internal auditing. Written through the collaboration of educators and practitioners, this resource serves as a cornerstone for internal audit education. It covers key fundamentals of internal auditing that can be applied in an ever-changing business world, and is long considered an essential addition to every internal auditor’s bookshelf.

The updated text completely aligns with The IIA’s Code of Ethics and International Standards for the Professional Practice of Internal Auditing. The fifth edition features online student and instructor tools, including case studies, videos, editable documents for performing end of chapter exercises, and Protiviti’s KnowledgeLeader®. Instructors also have access to supplemental teaching materials upon request.

Source: theiia.org

Internal Auditing: Assurance & Advisory Services, 5th Edition

Use the buttons on the right to expand and read each chapter.

Chapter 1: KnowledgeLeader Introduction

This section of KnowledgeLeader's University Center is designed to support The IIA Textbook, 5th Edition and provide entry-level internal audit and risk management content to students.

KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources, and best practices to help busy professionals save time and stay on top of business and technology risks.

Student Instructions:

Students will receive a link from their professors to activate their accounts on KnowledgeLeader. Please note that usernames and passwords must be kept confidential; users may not republish, license, sell, copy or display any portion of the KnowledgeLeader website elsewhere, except within the context of appropriately attributed academic coursework.

Each case exercise will be introduced in the Cases section of the pertinent chapter(s).

Read KnowledgeLeader's Internal Audit and Risk Management: The Basics page to obtain an introduction to the internal audit profession.  

Professor Instructions:

If you do not already have a Professor account on KnowledgeLeader, please click "Sign up as a Professor" on this page and complete the registration form.

Once your account is created and active, you will be able to navigate to your My Account area to access your unique Group Access code.  This is your link to copy and share with your students. When they follow your link, they will be directed to create their own complimentary KnowledgeLeader accounts on our site in a few easy steps.

For your convenience, once you professor account is activated, your access will be active for 10 years, and you will not need to request access again during that period. When a new semester starts, you can share your access link with your new group of students so that they can sign up.

Chapter 2: Internal Auditor Independence & Objectivity

Background Information

As indicated in the standards, the internal audit function must be independent, and internal auditors must be objective in performing their work. As indicated in the chapter reading, independence and objectivity together represent one of three pillars supporting effective internal audit services. It is also important to note that independence and objectivity are two distinct, yet interrelated, concepts that are fundamental to providing value-added internal audit services.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and define what it means for an internal auditor to be independent. Contrast internal audit independence with internal auditor objectivity. Why is it important for an internal audit function to be independent and internal auditors to possess objectivity?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 3: Multiple Lines of Defense

Background Information

Many organizations have multiple avenues for ensuring that they operate within their risk appetite. Organizations operating in a highly regulated environment have a need to demonstrate that they have mitigated the many risks that threaten them to a reasonable level. To do so, they implement a technique of assurance layering to get the risk mitigation they need or desire. One common example of this strategy is the Three Lines Model. However, this is not the only model.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and identify alternative model(s) of assurance layering other than the Three Lines Model. Compare and contrast the(se) model(s). How do they differ? How are they similar?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 4: Alternative Risk Management Frameworks

Background Information

In the United States, COSO published its Enterprise Risk Management – Aligning Risk with Strategy and Performance (COSO ERM, or ERM framework) in 2017. In 2004, COSO identified a need for a robust framework to help companies effectively identify, assess, and manage risk. the resulting risk management framework expanded on the previously issued Internal Control – Integrated Framework, incorporating all key aspects of that framework into the broader ERM framework. COSO updated its Internal Control – Integrated Framework in 2013 and released an update to the 2004 ERM framework in 2017. COSO defines ERM as the culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving and realizing value.

In 2009, the International Organization for Standardization issued its standard ISO 31000:2009 (ISO 31000), the first globally recognized standard related to risk management. ISO 31000 was developed to provide a globally accepted way of viewing risk management, taking into consideration principles, frameworks, models, and practices that were evolving around the world. ISO 31000 includes three sections—principles, framework and process.

Utilize the KnowledgeLeader website and perform the following:

  1. Authenticate to the KnowledgeLeader website using your username and password.
  2. Perform research on these two globally recognized risk management frameworks. Compare and contrast these frameworks. How do they differ? How are they similar?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 5: Reporting on Controls at a Service Organization

Background Information

Statement on Standards for Attestation Engagements (SSAE) 18, updates requirements for reporting on controls of a Service Organization (SOC 1, 2 and 3 reports). SSAE 18 was issued in April 2016 and became effective in May 2017. SSAE 18 is largely an American standard, but it mirrors International Standards for Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization. SSAE 18 provides guidance to service auditors when assessing the internal control of a service organization and issuing Service Organization Controls (SOC) reports.

SOC 1 reports primarily address the internal controls related to financial reports. There are two types of SOC 1 reports. SOC 1 Type I is an attestation on the description of controls provided by management of the service organization and adequacy of their design and implementation. SOC Type 2 extends this to include
an attestation about the operating effectiveness of the controls.

SOC 2 reports focus is on information and IT security identified in one or more of the five Trust Services Categories – security, confidentiality, information privacy, processing integrity and availability. SOC 2 reports can also be Type I or Type 2.

SOC 3 reports are similar to SOC 2 reports but are created for a general audience. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations, and clearinghouses.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and identify the circumstances under which obtaining a SOC report is justified. Explain the differences between a SOC 1 Type I and Type II report. Determine when it would be appropriate for a Type I rather than a Type II report.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 6: Adapting Internal Controls Related to Compliance Risks in a Rapidly Changing World

Background Information

Compliance with applicable laws and regulations has always been an important component of every organization’s control environment and the scrutiny over how effectively organizations are managing it has only increased in light of the many challenges impacting them today.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and identify the various challenges organizations are facing today regarding their ability to leverage existing internal controls to continue to comply with the laws and regulations applicable to them and what changes to their internal controls might be warranted.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 7: Internet of Things (IOT) and Smart Cities

Background Information

The internet of things (IOT) has expanded rapidly and provides new capabilities for many organizations, but as the IOT has provided new business efficiencies, it has also created new risks and challenges. You are the head of the internal audit function for a large city in Canada that is planning to become one of the most advanced smart cities worldwide. You have been asked by city management to research the potential applications that citizens and the city could leverage to assist in this effort to become a world-class “smart city.” One of the areas that significantly changed the business process through automation was eliminating the need for utility employees to manually read meters and check electric usage every month. This is just one example of the many applications the city has already implemented, and it is looking for additional innovation that can improve the efficiency and effectiveness of operations while reducing costs. The city manager has asked for your help… She would like for you to identify and rank the 10 business applications that could provide the “biggest” benefits, along with what potential risks might be encountered with the implementation of these applications.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Research KnowledgeLeader, along with the internet, to learn as much about “smart cities” and how 5G networks and connectivity can transform the efficiency and information used within a city as you can. For your choice of top ten applications for the IOT, include a description of each, along with a narrative on what risks might be present with the application, if adopted and implemented.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 8: Fraud Root Cause Analysis

Background Information

Fraud is a prevalent activity and there are many techniques, methods and motivations to fraud. Often, fraud that is uncovered is just a symptom of other issues and problems. Typically, after a major fraud is identified, a postmortem with the business, investigators and internal audit function is performed.

Choose and research two actual corporate frauds and examine how internal auditors deal with fraud along, the postmortem and the resulting impact to the organization (choose one from within the United States and one outside the United States). Study the root cause of the fraud and what techniques could have prevented the fraud from occurring or what could prevent such a fraud in the future.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Prepare a summary PowerPoint presentation that includes a few slides outlining the case and summarizing the fraud, approximate loss, who was involved, what the root cause was, what actions have taken place and what recommended corrective actions would decrease the chance of it happening again in the future.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 9: Multiple Lines of Defense

Background Information

Many organizations have multiple avenues for ensuring that they operate within their risk appetite. Organizations operating in a highly regulated environment have a need to demonstrate that they have mitigated the many risks that threaten them to a reasonable level. To do so, they implement a technique of assurance layering to get the risk mitigation they need or desire. One common example of this strategy is the Three Lines Model. However, this is not the only model.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and identify alternative model(s) of assurance layering other than the Three Lines Model. Compare and contrast the(se) model(s). How do they differ? How are they similar?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 10: Information Produced by the Entity

Background Information

Companies are facing heightened regulatory expectations. One area of particular interest is information or data produced or manipulated by employees or company systems that are relied on by management to perform key controls or to make significant business decisions. Regulators commonly refer to this information or data as information produced by the entity (IPE). When IPE is identified, regulators expect management to verify (test) the completeness and accuracy of the information or data used by management to perform key controls or that is relied on to make significant business decisions. There is also an expectation that both external and internal auditors will determine if IPE is appropriately verified before management relies on such information or data.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and identify the most common types or forms of IPE. What are key risks associated with management’s reliance on IPE? Identify the most common strategies for testing IPE.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 11: Data Analytics Techniques With a Limited Budget

Background Information

You work as part of a small but resourceful internal audit function at a major University. Like most university internal audit functions, you are faced with a limited budget, no data analytics skills on your staff and no ability (resources) to outsource data analytics to a third-party service provider (way too expensive). The university’s internal audit function for which you work has an Internal Audit Education Partnership program (IAEP) that teaches internal audit and several data analytics courses.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Determine which high-risk areas would benefit the most from leveraging data analytics software and which data analytics techniques could be adopted. How might you go about providing some data analytics support to your internal audit function, and what tools would you utilize that are readily available (taught in the various data analytics courses offered in the IAEP program) at your university?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 12: Blending Assurance and Consulting Internal Audit Engagements

Background Information

Blending assurance and consulting services into a single engagement is evolving as a way for internal auditors to realize efficiencies that might not exist when these services are performed separately. In fact, some internal audit functions may be conducting “blended engagements” without even realizing it. Internal auditors can follow a principle-based model that offers professional guidance for implementing this approach without violating existing standards of practice.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and identify the primary purpose of an assurance engagement and a consulting engagement. Also, identify elements that are the same or similar. Finally, identify the concerns with combining assurance and consulting services and how a single blended engagement can be performed without jeopardizing audit effectiveness or objectivity.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 13: Performing Effective Analytical Procedures

Background Information

Understanding the detailed tasks in a process is an important step in planning an assurance engagement. However, these tasks describe the way a process is designed to perform, but they provide little indication regarding how effectively they are carried out. Performing analytical procedures is one way that internal auditors conduct high-level assessments that may reveal process activities that warrant closer attention and, accordingly, more detailed testing during an assurance engagement. Analytical procedures involve reviewing and evaluating existing information, which may be financial or nonfinancial, to determine whether it is consistent with predetermined expectations.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and identify the characteristics of effective analytical procedures used during the planning phase of an assurance engagement.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 14: Agile Internal Audit Methods

Background Information

Internal audit functions are always looking for ways to do more with less and be more efficient with the limited resources available. As a result, many internal audit functions are evaluating and adopting "agile" internal audit methods. "Agile" was originated as a project management discipline created by software developers to address challenges that evolve and are resolved through the continuous collaboration of small cross-functional teams. Internal audit functions are adapting these methodologies to their work to provide faster, deeper and more valuable insights.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and identify the primary characteristics of internal audit agile methods. Identify the ways internal audit functions are adopting fast and flexible “agile” development methodologies to better align internal audit activities with business processes.
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 15: Reporting Material Weaknesses

Background Information

As indicated in the chapter, if an observation, or a group of observations, is assessed to be material, communication must be formal and include senior management, the organization’s independent outside auditor and the audit committee. Additionally, for publicly owned companies over a specified size and if the observation concerns internal controls over financial reporting and disclosure controls and procedures, the U.S. Sarbanes-Oxley Act of 2002 and financial reporting regulations in other countries require management to qualify their opinion on internal controls over financial reporting (and disclosure controls and procedures) and formulate a remediation plan to correct the weakness identified in the controls in question. Management must continue to qualify its opinion on internal controls over financial reporting (and disclosure controls and procedures) until the material weakness (observation) is remediated and management has verified through control retesting that the control in question is designed adequately and operating effectively. If management determines it is necessary to qualify its opinion on internal controls over financial reporting (and disclosure controls and procedures), this fact must be reported to its stakeholders according to the laws of the country in which it operates.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and determine the reporting requirements for a publicly traded company that has identified a material weakness related to internal control over financial reporting (and disclosure controls and procedures). Identify the various types of control weaknesses as defined by Section 404 of the Sarbanes-Oxley Act. Identify the required disclosures and provide an example of management’s report and the independent outside auditor’s report provided to the company’s shareholders (this will require research outside of KnowledgeLeader).
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources:

Chapter 16: The Internal Auditor as a Trusted Advisor

Background Information

Emphasis in recent years has been placed on control testing to ensure that controls are working effectively and efficiently, but emerging thought leadership indicates that the internal audit value proposition can best be accomplished through internal audit consulting services. The term "Trusted Advisor" is being used more frequently to describe internal auditors as they strive to add additional value as they gain management’s confidence through the impactful consulting services they provide.

Utilize the KnowledgeLeader website and perform the following:

  1. Log in to the KnowledgeLeader website with your username and password.
  2. Perform research and define what it means to be a "Trusted Advisor." What are the best or better practices and/or characteristics that could lead to an internal auditor becoming identified (labeled) as a Trusted Advisor in the eyes of the board audit committee or management they support?
  3. Submit a brief write-up indicating the results of your research to your instructor.

Helpful KnowledgeLeader Resources: